Hospitals are facing a dilemma: There are calls for digitalizing processes, but new IT solutions also increase the security risks. What is your advice for hospitals?
Jens Pahl: Not digitalizing processes is not an option, that much is clear. And it’s not the case that the security risk necessarily increases with every new IT system. On the one hand, it depends on how secure the IT system to be procured is. On the other hand, hospitals – and their IT departments in particular – sometimes have a variety of options for action when it comes to minimizing the security risk that a new application may involve step by step. However, the most important thing is that hospitals take a systematic and strategic approach to all security-relevant aspects of process digitalization.
Tobias Mayer: That’s right. It’s easiest to imagine the procurement process of a new IT system as a timeline. You can then concentrate on the relevant issues and aspects in the individual phases. The most important thing – and in our experience, most hospitals are doing it exactly right – is that the topic of “security” is considered from the outset. While selecting possible solutions providers, you should already check whether they have security-relevant certificates and whether the IT system in question complies with the common security standards. If these matters are checked only after a provider has been selected, it’s too late.
You have already addressed an important issue: certifications and security standards. What else can hospitals look out for when selecting an IT solution or provider?
Tobias Mayer: One more thing about the certifications and security standards: According to the KRITIS provision, ISO 27001 and BSI standard 200-2 in particular are crucial for hospitals. In any case, it is advisable for hospitals to examine the level of importance the topics of IT security and protection of patient data have at the solutions provider. Does it have a security team that is dedicated exclusively to information security? Does it provide white papers on this matter? Does it work with common security principles like security-by-design, privacy-by-design, and privacy-by-default? Does the IT system offered provide decentralized data storage? Does the system work with roles and authorizations and is data pseudonymized? Does the system work with open standards such as HL7 FHIR? If the answer to these example questions is “Yes,” that’s no reason to sit back, but a good indicator that a number of principles of information security are observed.
Jens Pahl: Another important aspect with regard to GDPR conformity is that having server locations in Germany or at least the EEA makes it easier to observe the basic regulation.
The hospital has now gathered information on the solutions provider, the system, and the security-relevant aspects. What happens next?
Jens Pahl: One option for putting a new IT system through its paces is to install it in a secured section of the hospital network as a test. In test operation, you can check whether the system interacts smoothly with the hospital network. If this is not the case, it can be evaluated where else malfunctions occur without impairing the hospital network or operations. In this connection, it should also be ensured that information never leaves the hospital network and only data that is absolutely necessary is passed on to the third-party system. In addition, it should initially remain in the application for only as long as it is being processed. Subsequently returning it to the hospital network or forwarding it to other systems further increases the level of information security.
What precautions against cyber attacks can be taken aside from the internal search for errors? This is a realistic scenario for hospitals in particular.
Tobias Mayer: Absolutely right. A real cyber emergency where medical or patient data is lost, encrypted or – worse still – changed without this being noticed is probably the worst-case scenario for any IT department. What are known as pen tests can be performed as a precautionary measure here. They are real acid tests and present a major challenge to the IT and data security of a system or network. Penetration testing involves professional attacks on the system or network to be tested. It allows security gaps and weak points to be identified and risk potential to be analyzed. Using this as a basis, suitable adaptations can be made to close the security gaps before a real cyber attack can happen. Hospitals should check whether the solutions provider subjects its own systems to such pen tests and should also ask whether such a test can be performed in a secured section of the hospital network as well.
Mr. Mayer, Mr. Pahl, thank you very much.
Patient data, medical data, and health data – what does the law say?
Patient data is data that refers to a person but does not, without further information, reveal anything about their mental or physical health. The BSI (German Federal Office for Information Security) classifies such data as having either a regular protection requirement (e.g. name and address data) or a high protection requirement (e.g. the insured person’s tax number). From the perspective of data protection law, Article 6 of the GDPR governs the processing of this information. Alongside patient data there is health and medical data, which refers to a person and contains information about their mental and/or physical health: for example, laboratory values from the person’s blood count, radiological records, or a photo showing that the person wears glasses. Such data is highly sensitive and is placed by the BSI in the highest protection requirement category. If the confidentiality, integrity, or availability of this data is compromised, and if diagnoses are made or therapies initiated on the basis of altered data, there is an immediate danger to the life and limb of the person concerned. This is why such data receives special protection as “special categories of personal data” under Article 9 of the GDPR.
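The interview’s advice on passing only strictly necessary, pseudonymized data to a third-party system over open standards such as HL7 FHIR can be made concrete against the protection categories above. The following Python is an added example, not code from the interviewees or any product: it takes a constructed FHIR Patient resource, keeps only an assumed allowlist of fields, truncates the birth date to the year (a valid partial FHIR date), and replaces the resource id with a keyed HMAC pseudonym so that re-identification is possible only with the key kept inside the hospital network.

```python
import hashlib
import hmac

# Constructed sample: a minimal HL7 FHIR R4 Patient resource as the hospital
# system might hold it. All values are invented for this example.
PATIENT = {
    "resourceType": "Patient",
    "id": "pat-0001",
    "identifier": [{"system": "urn:example:insurance", "value": "A123456789"}],
    "name": [{"family": "Mustermann", "given": ["Erika"]}],
    "birthDate": "1964-08-12",
    "gender": "female",
    "address": [{"city": "Berlin", "postalCode": "10115"}],
    "telecom": [{"system": "phone", "value": "+49 30 000000"}],
}

# Assumption for this example: the receiving module needs sex and birth year
# only. Everything else (name, insurance number, address, phone) is identifying
# data in the BSI sense and must not leave the hospital network.
ALLOWED_FIELDS = {"resourceType", "gender"}
DIRECT_IDENTIFIERS = ("name", "identifier", "address", "telecom")


def pseudonymize_id(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable, so the hospital (key holder) can link results
    back to the patient, but not reversible or guessable by the recipient."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:32]


def minimize_patient(patient: dict, key: bytes) -> dict:
    """Build the reduced resource that may be handed to the third-party system."""
    out = {k: v for k, v in patient.items() if k in ALLOWED_FIELDS}
    out["id"] = pseudonymize_id(patient["id"], key)
    if "birthDate" in patient:
        out["birthDate"] = patient["birthDate"][:4]  # YYYY is a valid FHIR date
    return out


def safe_to_export(record: dict) -> bool:
    """Export guard: reject any record still carrying direct identifiers
    or a full birth date. Call this at the network boundary."""
    if any(k in record for k in DIRECT_IDENTIFIERS):
        return False
    return len(record.get("birthDate", "")) <= 4


if __name__ == "__main__":
    key = b"hospital-internal-pseudonym-key"  # constructed; keep in a secret store
    reduced = minimize_patient(PATIENT, key)
    print(reduced, "export allowed:", safe_to_export(reduced))
```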